Chrome Runs Through Some 50 Million Fuzz Tests per Day Scanning for Vulnerabilities

Google has a massive fuzzing infrastructure and it's expanding it

Security is a big concern for any software maker, but browsers are at the forefront and the ones targeted most often. Browser security can't be overestimated and browser makers are constantly looking at ways of improving the security of their apps.

Security has been one of the cornerstones of Google Chrome since the project got started and the company is sparing no resources in maintaining it.

One way it's keeping Chrome users safe is with fuzz testing, a method employed in security testing in particular. The browser is fed random data and inputs and its response is tracked.

Google has several hundred virtual machines, which are collectively known as ClusterFuzz, running some six thousand Chrome instances at a time. Those instances are put through their paces constantly and Google runs through some 50 million tests each day.

As you can imagine, no human can work at that pace or at that scale, much of the process is automated, not just the testing itself, but the way the test cases are created, crash analysis and so on.

"ClusterFuzz automatically grabs the most current Chrome LKGR (Last Known Good Revision), and hammers away at it to the tune of around fifty-million test cases a day. That capacity has roughly quadrupled since the system’s inception, and we plan to quadruple it again over the next few weeks," Google explained.

Google says that the system has proven very useful so far. It's only been live since the end of last year, but it caught 95 distinct vulnerabilities so far, 44 of which were fixed before Chrome was pushed to the public, fixing the browser before it even made it into people's computers.

"As we further refine our process and increase our scale, we expect potential security regressions in stable releases to become increasingly less common," Google explained.

"Just like Chrome itself, our fuzzing work is constantly evolving and pushing the state of the art in both scale and techniques. In keeping with Chrome’s security principles, we’re helping to make the web safer by upstreaming the security fixes into projects we rely upon, like WebKit and FFmpeg," it added.